Welcome, guest | Sign In | My Account | Store | Cart

An Easy way to Marshal Data In Python By Sending Dictionaries of Python Data To And From Client/Server Solutions. Can Be Used In A Lot Of Ways in XmlRpc, HTTP/HTTPS Posts, RAW Sockets etc.

Python, 32 lines
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
import base64
from array import array


class StupidSimpleDataMarshal:
    def SendData(self, var):
        return base64.b64encode(var.__repr__())
    
    def ReceiveData(self, Data):
        return eval(base64.b64decode(Data))
    
################################################################################



x = dict()

x["myString"]       = "TestString"
x["myFloat"]        = 5.764
x["myList"]         = ["Blah", "Crap"]
x["myDict"]         = {'Bob':"Is Cool", 'Terry':"Is A Jerk"}
x["myBinaryArray"]  = array('B', "Uber Amounts of Binary Data")

SSDM = StupidSimpleDataMarshal()

dataToSocket    = SSDM.SendData(x)
dataFromSocket  = SSDM.ReceiveData(dataToSocket)

print dataToSocket

for k, v in dataFromSocket.iteritems():
    print k, v, type(v)

  

2 comments

Adam Olsen 13 years, 9 months ago  # | flag

eval() on user input (ie from a socket) is a gross security problem. Don't touch this one even with a 10 foot pole.

AJ. Mayorga (author) 13 years, 9 months ago  # | flag

@Adam thats alittle harsh I think. Yes eval has 'potential' to be a security issue but that is a matter of implementation not an aspect of eval itself likewise with any data serialization methods e.g.(pickle, marshal, etc.). Eval's context can be restricted by limiting access to globals and locals (http://docs.python.org/library/functions.html#eval) and of course any and all data inputs should be run through preprocessing validation routines as a matter of good practice. Also dependent on the nature of the data to be moved the selected protocol and encryption level is a matter of concern as well. The intended purpose of this particular recipe also was not for handling commandline inputs, But for simplifying client/server data marshaling. All that aside this recipe does not introduce a security issue at all even if a variable had malicious data in it consider.

`input_A = 'print "This is Bad" '
 input_B = 'eval("THIS IS REALLY BAD")'

 DataInputs = {'BAD':input_A, 'SUPERBAD':input_B}

 SSDM = StupidSimpleDataMarshal()

 dataToSocket = SSDM.SendData(DataInputs)
 dataFromSocket = SSDM.ReceiveData(dataToSocket)

 print DataInputs

 for k, v in dataFromSocket.iteritems():
     print k, v, type(v)`

The marshaled vars themselves never have eval called on them and eval is not recursive so only the repr dict obj is found eval pays no mind to its elements.

So done this way and having proper input validation and error checking and appropriate selection of protocol/encryption there is little in the way of a security issue.

Created by AJ. Mayorga on Mon, 10 May 2010 (MIT)
Python recipes (4591)
AJ. Mayorga's recipes (7)

Required Modules

  • (none specified)

Other Information and Tasks